Wednesday, November 7, 2012

HowTo: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]

Dear nixCraft,
I carry my Linux-powered laptop just about everywhere. How do I protect my private data stored on a partition or removable storage media against bare-metal attacks, where anyone can get their hands on my laptop or USB pen drive while I am traveling?
Sincerely, Worried about my data.

Dear Worried Linux user,
That's actually a great question. Many enterprise, small-business and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information and much more. Linux supports the following cryptographic techniques to protect a hard disk, directory or partition. With any of them, data is encrypted automatically as it is written and decrypted on the fly as it is read.

Linux encryption methods

There are two levels at which you can encrypt your data:

#1: Filesystem stacked level encryption

eCryptfs
- A cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file it writes, so encrypted files can be copied between hosts; a file is decrypted when the proper key is present in the Linux kernel keyring. This solution is widely used: it is the basis for Ubuntu's Encrypted Home Directory, it is used natively within Google's ChromeOS, and it is transparently embedded in several network attached storage (NAS) devices.

EncFS
- An encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and kernel module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.

#2: Block device level encryption

Block-level encryption hides everything on the device, including the filesystem's own metadata (file sizes, timestamps and directory layout), which stacked filesystems leave visible on the underlying storage.

Loop-AES
- Fast and transparent filesystem and swap encryption package for Linux. It requires no source code changes to the Linux kernel and works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.

dm-crypt with LUKS
- The kernel's device-mapper crypto target, managed with the cryptsetup utility. LUKS (Linux Unified Key Setup) adds an on-disk header that records the cipher parameters and holds up to eight passphrase key slots, so a passphrase can be added, changed or removed without re-encrypting the data. This is the method the rest of this post uses.

In this post, I will explain how to encrypt your partitions using the Linux Unified Key Setup (LUKS) on-disk format on your Linux based computer or laptop.

Step #1: Install cryptsetup utility

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux users type the following apt-get command:
# apt-get install cryptsetup

Step #2: Configure LUKS partition

WARNING! The following command will destroy all data on the partition that you are encrypting. You WILL lose all your information! So make sure you back up your data to an external source such as a NAS or a spare hard disk before typing any of the following commands.

The luksFormat command initializes the volume and sets an initial key (passphrase). cryptsetup asks you to confirm by typing YES in capital letters before it overwrites the device:
# cryptsetup luksFormat /dev/xvdc
Please note that the passphrase is not recoverable, so do not forget it. Next, open the volume, i.e. create a device-mapper mapping named backup2:
# cryptsetup luksOpen /dev/xvdc backup2
Sample outputs:

Enter passphrase for /dev/xvdc:

Once the passphrase has been verified against the key slots written by luksFormat, the mapping appears as /dev/mapper/backup2:
# ls -l /dev/mapper/backup2
Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0

You can use the following command to see the status of the mapping (cipher, key size, backing device and offset):
# cryptsetup -v status backup2

You can dump the LUKS header (version, cipher, hash, payload offset, UUID and the state of each key slot) using the following command:
# cryptsetup luksDump /dev/xvdc

Step #3: Format LUKS partition

First, write zeros to the /dev/mapper/backup2 encrypted device. Every zero block passes through dm-crypt, so what lands on the underlying partition is ciphertext: an attacker who images the disk sees uniformly random-looking data and cannot tell which blocks hold files and which are unused, i.e. it protects against disclosure of usage patterns:
# dd if=/dev/zero of=/dev/mapper/backup2
The dd command may take many hours to complete, and it ends with a "No space left on device" error once it reaches the end of the volume; that is expected. I suggest that you use the pv command to monitor the progress:
# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
To create a filesystem, i.e. format the volume, enter:
# mkfs.ext4 /dev/mapper/backup2
To mount the new filesystem at /backup2, enter:
# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l
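The whole of Step 2 and Step 3 as one script, added here as an example that is not part of the original post and is not cryptsetup's own code. It wraps the destructive luksFormat in the two checks you want before running it (the target must not be mounted and must not already carry a LUKS header), adds the matching unmount-and-close step, and goes a little beyond the post with a small reader for the LUKS1 on-disk header, so you can confirm what luksFormat wrote, or recognise a LUKS volume on an unknown disk, without cryptsetup or root. The device path /dev/xvdc, the mapping name backup2 and the 592-byte header produced by make_fixture_header are assumptions; the fixture is constructed, not captured from a real device.

```sh
#!/bin/sh
# Added example, not code from the original nixCraft post or from cryptsetup.
# Wraps the post's luksFormat / luksOpen / zero-fill / mkfs / mount sequence
# with pre-flight checks, and reads the LUKS1 on-disk header offline.
# Paths (/dev/xvdc, backup2) and the fixture header are assumptions.

# hexat FILE OFFSET N: N bytes at OFFSET as lowercase hex, no separators.
hexat() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# strat FILE OFFSET N: a NUL-padded string field of N bytes at OFFSET.
strat() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# True when FILE (or a block device) starts with the LUKS magic "LUKS" BA BE.
luks_magic_present() {
    [ "$(hexat "$1" 0 6)" = "4c554b53babe" ]
}

# LUKS1 header layout: version u16be @6, cipher-name[32] @8, cipher-mode[32] @40,
# hash-spec[32] @72, payload-offset u32be @104 (in 512-byte sectors),
# key-bytes u32be @108, uuid[40] @168, then 8 key slots of 48 bytes from @208;
# each slot begins with a u32be state: 0x00ac71f3 = enabled, 0x0000dead = disabled.
luks1_version()        { echo $((0x$(hexat "$1" 6 2))); }
luks1_cipher()         { strat "$1" 8 32; }
luks1_mode()           { strat "$1" 40 32; }
luks1_hash()           { strat "$1" 72 32; }
luks1_payload_offset() { echo $((0x$(hexat "$1" 104 4))); }
luks1_keybytes()       { echo $((0x$(hexat "$1" 108 4))); }

# Number of enabled key slots, i.e. how many passphrases can open the volume.
luks1_active_slots() {
    n=0; i=0
    while [ "$i" -lt 8 ]; do
        [ "$(hexat "$1" $((208 + i * 48)) 4)" = "00ac71f3" ] && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# One-line summary of a LUKS1 header; fails if the magic is missing.
luks_header_info() {
    luks_magic_present "$1" || { echo "$1: no LUKS header" >&2; return 1; }
    printf 'version=%s cipher=%s-%s hash=%s keybytes=%s slots=%s\n' \
        "$(luks1_version "$1")" "$(luks1_cipher "$1")" "$(luks1_mode "$1")" \
        "$(luks1_hash "$1")" "$(luks1_keybytes "$1")" "$(luks1_active_slots "$1")"
}

# luks_setup DEV NAME: the post's Step 2 and Step 3, refusing to format a
# device that is mounted or already LUKS (override the latter with LUKS_FORCE=1).
luks_setup() {
    dev=$1; name=$2
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    if luks_magic_present "$dev" && [ "${LUKS_FORCE:-0}" != 1 ]; then
        echo "$dev already carries a LUKS header; set LUKS_FORCE=1 to overwrite" >&2; return 1
    fi
    cryptsetup -y -v luksFormat "$dev" || return 1    # -y: passphrase typed twice
    cryptsetup luksOpen "$dev" "$name" || return 1
    # Zero-fill through the mapping: the partition receives ciphertext, so free
    # space is indistinguishable from data. dd ends with ENOSPC; that is expected.
    dd if=/dev/zero of="/dev/mapper/$name" bs=4M 2>/dev/null || true
    mkfs.ext4 "/dev/mapper/$name" && mkdir -p "/$name" && mount "/dev/mapper/$name" "/$name"
}

# luks_teardown NAME: unmount and close the mapping so the key leaves the kernel.
luks_teardown() {
    umount "/$1" && cryptsetup luksClose "$1"
}

# make_fixture_header FILE: constructed 592-byte LUKS1 header (an assumption,
# not a dump of a real device) so the reader can be exercised without root.
make_fixture_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    put() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
    put "$1" 0   'LUKS\272\276'     # magic
    put "$1" 7   '\001'             # version 1
    put "$1" 8   'aes'              # cipher-name
    put "$1" 40  'xts-plain64'      # cipher-mode
    put "$1" 72  'sha256'           # hash-spec
    put "$1" 106 '\020'             # payload-offset 0x00001000 = 4096 sectors
    put "$1" 111 '\100'             # key-bytes 0x40 = 64 (512-bit XTS key)
    put "$1" 209 '\254\161\363'     # slot 0 enabled (00 ac 71 f3)
    put "$1" 257 '\254\161\363'     # slot 1 enabled
    put "$1" 306 '\336\255'         # slot 2 disabled (00 00 de ad)
}

case "${1:-}" in
    info)  luks_header_info "$2" ;;
    setup) luks_setup "$2" "$3" ;;
    close) luks_teardown "$2" ;;
esac
```

Run it as `sh luks-helper.sh setup /dev/xvdc backup2`, `sh luks-helper.sh info /dev/xvdc` to read the header back, and `sh luks-helper.sh close backup2` when you are done. The luks1_* readers apply to version 1 headers only: a LUKS2 volume carries the same magic but version 2 at offset 6 and keeps its metadata in a JSON area instead of the fixed fields above, so check luks1_version before trusting the other fields.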